Back to overview

CVE-2026-62189

HIGH
7.1
CVSS 3.1
Description
OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.

Metadata

CVE ID
CVE-2026-62189
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-13 16:36 UTC
Published
2026-07-13 21:30 UTC
Last updated
2026-07-13 21:30 UTC
Primary CWE
CWE-59
Improper Link Resolution Before File Access ('Link Following…
Vendor / Product
OpenClaw / OpenClaw
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected products (1)
VendorProductPlatformVersions
OpenClaw OpenClaw 0 < 2026.6.9, 2026.6.9
Weakness (CWE)
CWESourceDescription
CWE-367 cna Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-59 cna Improper Link Resolution Before File Access ('Link Following')
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
References (2)
Back to overview